November 6, 2023 at 01:00PM
QNAP has released security updates to address two critical vulnerabilities in its operating system. The first vulnerability, tracked as CVE-2023-23368, is a command injection bug affecting QTS, QuTS hero, and QuTScloud. The second vulnerability, CVE-2023-23369, is a command injection flaw in QTS, Multimedia Console, and the Media Streaming add-on. Users are advised to update to the latest versions to protect against potential threats.
Meeting Takeaways:
– QNAP has released security updates to address two critical security flaws in their operating system.
– The first vulnerability, tracked as CVE-2023-23368, is a command injection bug affecting QTS, QuTS hero, and QuTScloud. It allows remote attackers to execute commands via a network.
– The affected versions and their corresponding fixes are as follows:
  – QTS 5.0.x (Fixed in QTS 5.0.1.2376 build 20230421 and later)
  – QTS 4.5.x (Fixed in QTS 4.5.4.2374 build 20230416 and later)
  – QuTS hero h5.0.x (Fixed in QuTS hero h5.0.1.2376 build 20230421 and later)
  – QuTS hero h4.5.x (Fixed in QuTS hero h4.5.4.2374 build 20230417 and later)
  – QuTScloud c5.0.x (Fixed in QuTScloud c5.0.1.2374 and later)
– The second vulnerability, tracked as CVE-2023-23369, is another command injection flaw in QTS, Multimedia Console, and the Media Streaming add-on. It also allows remote attackers to execute commands via a network.
– The impacted versions and their fixes are as follows:
  – QTS 5.1.x (Fixed in QTS 5.1.0.2399 build 20230515 and later)
  – QTS 4.3.6 (Fixed in QTS 4.3.6.2441 build 20230621 and later)
  – QTS 4.3.4 (Fixed in QTS 4.3.4.2451 build 20230621 and later)
  – QTS 4.3.3 (Fixed in QTS 4.3.3.2420 build 20230621 and later)
  – QTS 4.2.x (Fixed in QTS 4.2.6 build 20230621 and later)
  – Multimedia Console 2.1.x (Fixed in Multimedia Console 2.1.2 (2023/05/04) and later)
  – Multimedia Console 1.4.x (Fixed in Multimedia Console 1.4.8 (2023/05/05) and later)
  – Media Streaming add-on 500.1.x (Fixed in Media Streaming add-on 500.1.1.2 (2023/06/12) and later)
  – Media Streaming add-on 500.0.x (Fixed in Media Streaming add-on 500.0.0.11 (2023/06/16) and later)
– Users running the affected versions are urged to update to the latest version to mitigate potential threats.
– QNAP recently took down a malicious server used in brute-force attacks targeting network-attached storage (NAS) devices with weak passwords.
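
The fixed-version lists above can be turned into an inventory check. The following is an added example, not code from QNAP or from the original page: it covers only the operating-system rows, the function names and inventory entries are constructed for illustration, and a branch the page does not list is reported as "not listed" rather than assumed safe.

```python
import re

# Fixed-in table transcribed from the lists above (operating-system rows only).
# Row: (product, branch prefix, fixed version, fixed build date; 0 = none given).
FIXED = {
    "CVE-2023-23368": [
        ("QTS", (5, 0), (5, 0, 1, 2376), 20230421),
        ("QTS", (4, 5), (4, 5, 4, 2374), 20230416),
        ("QuTS hero", (5, 0), (5, 0, 1, 2376), 20230421),
        ("QuTS hero", (4, 5), (4, 5, 4, 2374), 20230417),
        ("QuTScloud", (5, 0), (5, 0, 1, 2374), 0),
    ],
    "CVE-2023-23369": [
        ("QTS", (5, 1), (5, 1, 0, 2399), 20230515),
        ("QTS", (4, 3, 6), (4, 3, 6, 2441), 20230621),
        ("QTS", (4, 3, 4), (4, 3, 4, 2451), 20230621),
        ("QTS", (4, 3, 3), (4, 3, 3, 2420), 20230621),
        ("QTS", (4, 2), (4, 2, 6), 20230621),
    ],
}

VERSION_RE = re.compile(r"^[hc]?(\d+(?:\.\d+)+)(?:\s+build\s+(\d{8}))?$", re.I)

def parse_version(text):
    """'5.0.1.2376 build 20230421' or 'h4.5.4.2374' -> ((5, 0, 1, 2376), 20230421 or 0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def status(cve, product, version_text):
    """Return 'vulnerable', 'fixed', or 'not listed' (branch absent from the page)."""
    version, build = parse_version(version_text)
    for row_product, branch, fixed_version, fixed_build in FIXED[cve]:
        if row_product == product and version[:len(branch)] == branch:
            # Compare version numbers first (truncated to the precision the
            # page gives for the fix), then the build date as tie-breaker.
            key = (version[:len(fixed_version)], build)
            return "fixed" if key >= (fixed_version, fixed_build) else "vulnerable"
    return "not listed"

# Constructed inventory for illustration; not real devices.
INVENTORY = [("QTS", "5.0.1.2346 build 20230322"), ("QTS", "4.2.6 build 20221028"),
             ("QuTS hero", "h4.5.4.2374 build 20230417")]

if __name__ == "__main__":
    for product, ver in INVENTORY:
        print(product, ver, {cve: status(cve, product, ver) for cve in FIXED})
```

Multimedia Console and Media Streaming add-on versions are tracked separately from the firmware, so they need their own comparison against the dates listed above.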